Modula Image Gallery WordPress Plugin Arbitrary File Deletion Vulnerability

Vulnerability

A vulnerability allowing arbitrary file deletion has been identified in the Modula Image Gallery plugin for WordPress, specifically in versions 2.13.1 to 2.13.2. This issue arises from inadequate file path validation in the 'ajax_unzip_file' function. As a result, authenticated attackers with Author-level access or higher can delete arbitrary files on the server. Exploiting this vulnerability could lead to remote code execution, particularly if a critical file like wp-config.php is deleted.

Impact

Successful exploitation of this vulnerability allows authenticated users with Author-level access or higher to delete arbitrary files on the server. This could potentially lead to remote code execution, especially if a sensitive file such as wp-config.php is removed.

Reproduction

To reproduce this vulnerability, an authenticated user with Author-level access or higher can upload a ZIP file containing images through the WordPress media uploader. After the upload, the user can trigger the 'ajax_unzip_file' function, which will extract the ZIP file but also allow for the deletion of specified files on the server. This can be done by manipulating the file paths in the AJAX request to target sensitive files.

Remediation

Users are advised to update the Modula Image Gallery plugin to version 2.13.3 or a newer patched version.
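The defect class described above is a file-deletion step that trusts a request-supplied path. The following is an added example of a containment check that such a step needs; it is not the plugin's code or its actual patch, and the function name and the temp-directory demonstration are assumptions made for illustration.

```php
<?php
// Added illustration, not the Modula plugin's code: delete a file only if it
// resolves to a regular file strictly inside an allowed directory.
// Assumption: the caller knows the directory in which deletions are permitted
// (in WordPress, wp_upload_dir()['basedir'] would be the natural choice).

function delete_file_within( string $allowed_dir, string $candidate ): bool {
    $base = realpath( $allowed_dir );
    $real = realpath( $candidate );
    // realpath() returns false for missing paths and collapses "../" and
    // symlinks, so the prefix test below sees the path the OS would open.
    if ( $base === false || $real === false ) {
        return false;
    }
    $base = rtrim( $base, DIRECTORY_SEPARATOR ) . DIRECTORY_SEPARATOR;
    if ( strncmp( $real, $base, strlen( $base ) ) !== 0 ) {
        // Log refusals: repeated attempts are a useful detection signal.
        error_log( "refused to delete outside allowed dir: $candidate" );
        return false;
    }
    if ( ! is_file( $real ) ) {
        return false;
    }
    return unlink( $real );
}

// Constructed demonstration in a throwaway temp directory.
$dir = sys_get_temp_dir() . '/path-check-demo-' . getmypid();
mkdir( $dir );
file_put_contents( "$dir/photo.jpg", 'x' );
$outside = tempnam( sys_get_temp_dir(), 'cfg' ); // stands in for a config file

// Inside the allowed directory: deleted.
var_dump( delete_file_within( $dir, "$dir/photo.jpg" ) );
// Traversal out of the allowed directory: refused, file untouched.
var_dump( delete_file_within( $dir, "$dir/../" . basename( $outside ) ) );
var_dump( file_exists( $outside ) );

unlink( $outside );
rmdir( $dir );
```

A capability check (for example `current_user_can()` against a role stricter than Author) belongs in front of this in a real handler; the path check alone does not decide who may delete, only where.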

Added: Dec 3, 2025, 3:19 AM
Updated: Dec 3, 2025, 3:19 AM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 10.0
exploitability: 6.3
remediation: 7.7
relevance: 1.3
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.